Monday, July 13, 2009

Yet another example of the trusted insider threat against intellectual property.

In the days before his June 5 resignation from Goldman Sachs, Aleynikov copied, encrypted and transferred approximately 32MB of proprietary code to a server located in Germany, the FBI claimed

Exfiltration is a difficult threat to address. You can try to prevent it by limiting outbound protocols and connectivity, but covert channels are always possible, even something as simple as tunneling a non-HTTP protocol over 80/tcp, the port most egress filters leave open because they expect only web traffic on it.

Detection may be possible if you have a device that inspects outbound content for proprietary keywords. A proxy server that requires authentication and keeps adequate logs can facilitate incident response: determining the extent of the incident and finding the culprit.
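To make the two preceding paragraphs concrete, here is an added example of the kind of checks a proxy or flow log makes possible; it is not code from the original post or from any product mentioned here. It assumes a simplified log format (timestamp, authenticated user, destination IP, destination port, the application protocol the proxy identified on the wire, bytes sent), constructed sample lines, an illustrative 32 MB per-user threshold, and an invented keyword list; all of those are assumptions, not anything the post specifies.

```python
# Added example (not from the original post): exfiltration checks run over
# constructed proxy/flow log lines.
# Assumed log format, one flow per line, whitespace separated:
#   <timestamp> <user> <dst_ip> <dst_port> <app_proto> <bytes_out>
# app_proto is whatever the proxy or IDS identified on the wire, independent
# of the port. Field names, thresholds, keywords and sample data are all
# illustrative assumptions.
from collections import defaultdict

# Constructed sample data (documentation-range addresses); not real traffic.
SAMPLE_LOG = """\
2009-06-01T09:00:01 alice 203.0.113.10 80 http 1200
2009-06-01T09:00:05 alice 203.0.113.10 80 http 3400
2009-06-01T09:01:10 bob 198.51.100.7 80 ssh 25000000
2009-06-01T09:02:00 bob 198.51.100.7 80 ssh 9000000
2009-06-01T10:00:00 carol 192.0.2.44 443 tls 512
2009-06-01T10:05:00 dave 192.0.2.45 443 http 700
"""

# Constructed outbound content snippets as a content-inspection device
# might capture them: (user, text).
SAMPLE_PAYLOADS = [
    ("alice", "Meeting notes: lunch moved to noon"),
    ("bob", "// Proprietary and Confidential: trading engine core"),
    ("carol", "Quarterly newsletter draft"),
]
KEYWORDS = ["proprietary", "internal only"]

# Which application protocols an egress filter expects on each allowed port.
EXPECTED_PROTO = {80: {"http"}, 443: {"tls"}}


def parse_log(text):
    """Parse the assumed log format into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dst_ip, dst_port, proto, bytes_out = line.split()
        records.append({
            "ts": ts,
            "user": user,
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "proto": proto.lower(),
            "bytes_out": int(bytes_out),
        })
    return records


def port_protocol_mismatches(records, expected=EXPECTED_PROTO):
    """Flows whose identified protocol is not what the port should carry.

    This is the covert channel the post mentions (a non-HTTP protocol on
    80/tcp), generalized to any port in the expected-protocol table.
    """
    hits = []
    for r in records:
        allowed = expected.get(r["dst_port"])
        if allowed is not None and r["proto"] not in allowed:
            hits.append(r)
    return hits


def heavy_uploaders(records, threshold_bytes):
    """Sum outbound bytes per authenticated user; return those above threshold."""
    totals = defaultdict(int)
    for r in records:
        totals[r["user"]] += r["bytes_out"]
    return {u: b for u, b in totals.items() if b > threshold_bytes}


def keyword_hits(payloads, keywords):
    """Case-insensitive match of proprietary keywords in captured content.

    Returns (user, keyword) pairs so the hit can be tied back to a person,
    which is only possible because the proxy authenticated the user.
    """
    hits = []
    for user, text in payloads:
        lowered = text.lower()
        for kw in keywords:
            if kw.lower() in lowered:
                hits.append((user, kw))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in port_protocol_mismatches(recs):
        print("port/protocol mismatch:", r["user"], r["dst_port"], r["proto"])
    print("heavy uploaders:", heavy_uploaders(recs, 32 * 1024 * 1024))
    print("keyword hits:", keyword_hits(SAMPLE_PAYLOADS, KEYWORDS))
```

All three checks hinge on the same thing the paragraph above calls out: the proxy must authenticate users and log per-user, per-flow detail, or the alerts cannot be tied to a person. The byte threshold is deliberately crude; a determined insider can stay under it by spreading transfers over days, which is why the protocol-mismatch and keyword checks are run alongside it rather than instead of it.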

I deduce that Goldman Sachs is either lucky or has a pretty good start on solving this problem.

Aleynikov resigned to take a job with a new company "that intended to engage in high-volume automated trading," for triple his $400,000 salary, the complaint said.

...he was allegedly a vice president of equity strategy.

The reality is, the higher you go up the executive chain, usually the harder it is to enforce rules. That's another reason that security programs are only successful when the CEO and board want it, demand it, and make sure they get it.

Wednesday, July 08, 2009

I feel the recent action of the FTC against a rogue ISP, documented in this article, marks a shift in the tides in the war against spam.

It seems much of the junk email originates from ISPs that refuse to follow the rules, allowing anonymous spammers to register domains with false information.

As a user of Knujon for some time, I've been eagerly reading about their recent successes working with ICANN for stricter enforcement of rules, resulting in many rogue ISPs being shut down.

As of this writing, Knujon has shut down over 200 thousand junk email sites according to their website. I've already written about Knujon, but it seems the momentum is building.

Shutting down rogue ISPs can be successful in making the cost/benefit equation less favorable for spammers and criminals by making domains harder and more expensive to obtain. If so, perhaps we will start to see a noticeable decline in spam around the world. Maybe it has already started? Or maybe not.

The problem is giant, so I suspect it will still be some years away, but I think we are seeing the signs that this approach will work.

The article above also mentions that other criminal activity was curtailed by shutting down this rogue ISP. Cool.

Friday, July 03, 2009

I am getting kind of burned out on computer security. I know, I know, it's only been 14 years that I have been in the trenches and, after all, we are making such tremendous progress in the infosec industry in that brief span of time.

Now instead of curious geeks hacking computers for fun and irritating people, we have widespread criminal activity. Instead of passwords, we're now using... um. Never mind. And we went from having no network boundary enforcement to... err... having no network boundaries. Software security bugs are a thing of the past. And present. And foreseeable future. But hey, at least hackers are targeting networks and systems less. Now they're just targeting people and client software. Cool. That's lots better.

Speaking of criminal activity. Here's yet another example of a phishing attack working. Criminals stole over $400,000 from a municipality's bank account. Why did this attack work? You could blame user(s) for giving away the info, falling for the phishing scheme. Or blame it on a lack of awareness training. But folks, the phishing attacks are getting so sophisticated even very experienced infosec professionals have a hard time.

Seems to me these attacks work because it is difficult to reliably verify the trustworthiness of messages or senders. The same issue makes it easy for spammers to make or steal money. With such a widely deployed SMTP infrastructure, how do we make improvements?